Abstract

In this paper we give the first proof that, under reasonable assumptions, a problem related to counterfeiting quantum money from knots [1] is hard. Along the way, we introduce the concept of a component mixer, define three new classical query problems and associated complexity classes related to graph isomorphism and group membership, and conjecture an oracle separating QCMA from QMA.

1 Introduction

Quantum money from knots is a cryptographic protocol in which a mint produces a quantum state $|\$_\ell\rangle$. Anyone can verify that the state came from the mint, and hopefully it is intractable to copy the state. The quantum state is described by a set $S$ which is partitioned into components. (In practice $S$ is a set of knot diagrams with bounded complexity and the components are the sets of knots with the same Alexander polynomial.)

We hope to prove the security of an abstracted version of the protocol in which adversaries have only black-box access to an idealized version of knot-theoretic operations [2]. In this abstracted version, the quantum state is a superposition of $n$-bit strings ($n$ is a security parameter chosen by the mint). All of those strings come from a large set $S$, and the state $|\$_\ell\rangle = \sum_{x \in S_\ell} |x\rangle$ is the uniform superposition of strings in the $\ell$th component.

All parties (the mint, honest users of money, and any adversaries) have access to two black-box operations. They have access to a "component mixer" (defined below) that invertibly maps any string to a new almost uniformly random string in the same component. They also have access to a labeling function that determines which component any element is in. (In the concrete scheme, the component mixer does not fully mix within the components. We ignore that issue here.)

To prove hardness results related to counterfeiting quantum money, we need an appropriate 
computational assumption. We find this assumption in a new class of query problems based on 
component mixers. 

All of these problems involve a large set that is partitioned into components. An algorithm must use black-box queries to a component mixer to answer questions about the components. The algorithm is not given access to a labeling function. The SAME COMPONENT problem is: are two given elements in the same component? The MULTIPLE COMPONENTS problem is: is there more than one component (as opposed to just one)? If we promise that either there is only one component or no component contains a majority of the set, then the MULTIPLE COMPONENTS problem becomes MULTIPLE BALANCED COMPONENTS. Finally, on a quantum computer, the COMPONENT SUPERPOSITION problem is to prepare the uniform superposition of all elements in a component given as input one element in that component. (The classical analog, producing a uniformly random sample from a component, is easy by assumption.)

| The class... | ...is in... | ...and oracle-separated from |
|---|---|---|
| SCP | NP, SZK | co-MA, hopefully BQP |
| MCP | QMA, NP^{co-NP}, NP^{co-SCP} | BQP, hopefully QCMA |
| MBCP | MCP, AM, co-AM, SZK, BPP^{SCP} | hopefully QCMA |

Table 1: Component problems have a home in the complexity zoo.

These types of questions are natural abstractions of graph isomorphism and group membership. 
Graph isomorphism is the problem of deciding whether two graphs are equivalent up to a permutation. 
The complexity of graph isomorphism is unknown on both classical and quantum computers. Group 
membership, on the other hand, is the problem of deciding whether an element of some large group 
is in a particular subgroup of that group. The subgroup is specified by its generators, and the group 
structure is given either as a black box or in some explicit form such as a matrix representation. 
In the black-box setting, group membership is hard on classical computers [3] but has unknown
complexity on quantum computers. 

For graph isomorphism, the big set would be the set of all graphs of a given size and the 
components are isomorphism classes of graphs. The component mixer permutes the vertices of a 
graph. Testing whether two graphs are isomorphic reduces to the SAME COMPONENT problem.

For group membership, the big set would be a large group and the components would be cosets 
of a subgroup that is described only by its generators. The component mixer would multiply by 
an element of the subgroup. The group membership problem reduces to an instance of SAME
COMPONENT: testing whether a given element is in the same component as the identity. The
MULTIPLE BALANCED COMPONENTS problem would determine whether the given generators generate
the entire group or a proper subgroup.

Each of these query problems naturally defines a complexity class. SCP, MCP, and MBCP are the sets of languages that are polynomial-time reducible to the SAME COMPONENT problem, MULTIPLE COMPONENTS problem and MULTIPLE BALANCED COMPONENTS problem. We relate all three classes to commonly-used complexity classes. Our results are summarized in the table above.

These problems and classes are immediately interesting for two reasons. First, if SAME COMPONENT is hard on a quantum computer, then we have evidence for the security of a quantum money protocol [1]. Second, MCP and MBCP are candidates for a classical oracle separation between
QCMA and QMA. (Group membership does not work directly because it has too much structure 

mo 

2 Definitions 

Throughout this paper, we use some basic terminology. We say that $a \in_R B$ if $a$ is a uniform random sample from $B$. A function $f : \mathbb{N} \to \mathbb{R}$ is negligible if for all $y$ there exists $N_y$ such that $f(x) < x^{-y}$ for all $x > N_y$. Intuitively, negligible functions go to zero faster than the reciprocal of any polynomial. Finally, the total variation distance between two distributions with probability density functions $p$ and $q$ over a set $D$ is

$$\frac{1}{2} \sum_{e \in D} |p(e) - q(e)| = \sup_{A \subseteq D} |p(A) - q(A)| .$$



The total variation distance is sometimes referred to as the statistical difference, and it is analogous 
to the trace distance between density matrices of mixed quantum states. 

All of the problems we consider are questions about a large set S. For consistency in defining the 
size of the problems, we take n to be the number of bits used to represent an element of S. The set S 
is partitioned into components, and access to the components is given through a family of invertible 
maps that takes an element of any component of $S$ to a new element of the same component. The
maps constitute a component mixer if a uniform random choice of the map produces a uniformly 
random output. 

Definition 1. A family of one-to-one maps $\{M_i\}$ is a component mixer on a partition $\{S_1, \ldots, S_c\}$ of a set $S$ if:

• The set $S$ is a subset of $n$-bit strings.

• The family is indexed by a label $i$ from a set $\mathrm{Ind}_M$, and each $i$ can be encoded in $O(\mathrm{poly}(n))$ bits.

• The functions $\{M_i\}$ do not mix between components. That is, for all $i$ and $a$, if $x \in S_a$ then $M_i(x) \in S_a$ as well.

• The functions $\{M_i\}$ instantly mix within each component. That is, for all $a$ and $x \in S_a$, if $i \in_R \mathrm{Ind}_M$, then the total variation distance between $M_i(x)$ and a uniform sample from $S_a$ is no more than $2^{-n-2}$.

The last condition is often easy to satisfy directly. For graph isomorphism, if $\mathrm{Ind}_M$ is the set of permutations, $M_i$ can apply the permutation $i$ to a graph. For group membership, if $\mathrm{Ind}_M$ is a sequence of coin flips that can generate a nearly uniform sample from the subgroup (e.g. a straight-line program as in [2]), then $M_i$ can multiply by the element of the subgroup implied by the coin flips. In general, given a Markov chain over $S$ that does not mix between components but mixes rapidly over each component, each step of which consists of choosing a uniform random sample from a set of invertible rules and applying that rule, then iterating that Markov chain to amplify its spectral gap will give a component mixer.
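
An added example, not part of the original paper: Definition 1 checked exhaustively in Python for the graph-isomorphism mixer on graphs with 4 labelled vertices ($n = 6$). The 6-bit edge encoding and the use of the sorted degree sequence as the component label (a complete isomorphism invariant only for graphs this small) are assumptions of the example.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations, permutations

V = 4                                       # assumed toy size: 4 labelled vertices
EDGES = list(combinations(range(V), 2))     # 6 vertex pairs, so n = 6 bits
S = range(1 << len(EDGES))                  # every 6-bit string encodes a graph
IND_M = list(permutations(range(V)))        # Ind_M: the 24 vertex permutations


def mix(perm, x):
    """M_perm(x): relabel each vertex u of graph x as perm[u]."""
    y = 0
    for bit, (u, v) in enumerate(EDGES):
        if x >> bit & 1:
            y |= 1 << EDGES.index(tuple(sorted((perm[u], perm[v]))))
    return y


def label(x):
    """Sorted degree sequence; identifies the isomorphism class when V = 4."""
    deg = [0] * V
    for bit, (u, v) in enumerate(EDGES):
        if x >> bit & 1:
            deg[u] += 1
            deg[v] += 1
    return tuple(sorted(deg))


def components():
    """Partition S into components S_1..S_c using the label, not the mixer."""
    parts = {}
    for x in S:
        parts.setdefault(label(x), set()).add(x)
    return parts


def tv_from_uniform(x, comp):
    """Exact total variation distance between M_i(x), i uniform, and uniform on comp."""
    hits = Counter(mix(p, x) for p in IND_M)
    support = comp | set(hits)
    return sum(abs(Fraction(hits[y], len(IND_M)) - Fraction(int(y in comp), len(comp)))
               for y in support) / 2


def check_definition_1():
    """Evaluate each condition of Definition 1 over all of S and Ind_M."""
    parts = components()
    return {
        "components": len(parts),
        "one_to_one": all(len({mix(p, x) for x in S}) == len(S) for p in IND_M),
        "no_mixing_between": all(label(mix(p, x)) == label(x)
                                 for p in IND_M for x in S),
        "worst_tv": max(tv_from_uniform(x, parts[label(x)]) for x in S),
        "bound": Fraction(1, 2 ** (len(EDGES) + 2)),          # 2^{-n-2}
        "reaches_whole_component": all({mix(p, x) for p in IND_M} == parts[label(x)]
                                       for x in S),
    }


if __name__ == "__main__":
    for name, value in check_definition_1().items():
        print(f"{name}: {value}")
```

A uniformly random permutation lands exactly uniformly on the isomorphism class, so the measured distance is 0, well inside the $2^{-n-2}$ bound.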

In graph isomorphism, generating a random graph, testing whether some encoding of a graph 
is valid, and generating a random permutation to apply to the vertices are all easy. Similarly, in 
group membership, generating a random element of the whole group (as opposed to the subgroup) 
is easy, as is generating a random element of the subgroup. When we abstract these problems to 
component mixer problems, we want the corresponding operations to be easy as well. This leads to 
our definition of query access to a component mixer. 

Definition 2. An algorithm has query access to a component mixer $\{M_i\}$ if the algorithm can do each of the following operations in one query with failure probability no more than $2^{-n}$.

• Test an $n$-bit string for membership in $S$.

• Generate a uniform random sample from $S$.

• Test a string for membership in $\mathrm{Ind}_M$.

• Generate a uniform random sample from $\mathrm{Ind}_M$.

• Given $s \in S$ and $i \in \mathrm{Ind}_M$, compute $M_i(s)$.

• Given $s \in S$ and $i \in \mathrm{Ind}_M$, compute $M_i^{-1}(s)$.

If we are considering quantum algorithms, we want to give the algorithm some quantum power. 
For example, in graph isomorphism, generating a uniform quantum superposition of all graphs is 
easy, as is generating a uniform quantum superposition of all members of the permutation group [6].
We give quantum component algorithms the equivalent powers. 

Definition 3. An algorithm has quantum query access to a component mixer $\{M_i\}$ if the algorithm can do each of the following operations coherently in one query with failure probability no more than $2^{-n}$:

• Test an $n$-bit string for membership in $S$.

• Generate the state $\sum_{s \in S} |s\rangle$ or measure the projector onto that state.

• Test a string for membership in $\mathrm{Ind}_M$.

• Generate the state $\sum_{i \in \mathrm{Ind}_M} |i\rangle$ or measure the projector onto that state.

• Compute the "controlled-M" operator, abbreviated CM. CM takes three registers as input: the first is the number $-1$, $0$, or $+1$, the second is a string $i$, and the third is an $n$-bit string $s$. On input $|a, i, s\rangle$, $\mathrm{CM}|a, i, s\rangle = |a, i, M_i^a(s)\rangle$ if $i \in \mathrm{Ind}_M$ and $s \in S$; otherwise $\mathrm{CM}|a, i, s\rangle = |a, i, s\rangle$.

As a technical detail, we assume that any algorithm given (quantum) query access to a component mixer $\{M_i\}$ knows both $n$ and the number of bits needed to encode an element of $\mathrm{Ind}_M$.
We can now state the definitions of our query problems.

Definition 4. The SAME COMPONENT problem is: given query access to a component mixer $\{M_i\}$ on a set $S$ and two elements $s, t \in S$, accept if $s$ and $t$ are in the same component of $S$.

Definition 5. The MULTIPLE COMPONENTS problem is: given query access to a component mixer $\{M_i\}$ on a partition $\{S_1, \ldots, S_c\}$, accept if $c > 1$.

Definition 6. The MULTIPLE BALANCED COMPONENTS problem is: There is a partition $\{S_1, \ldots, S_c\}$ with the promise that either there is only one component or no component contains more than half the elements in $S$. Given query access to a component mixer $\{M_i\}$ on that partition and the string $0^n$, accept if $c > 1$.

On a quantum computer, we can also try to generate the uniform superposition over a component.

Definition 7. The COMPONENT SUPERPOSITION problem is: given quantum query access to a component mixer $\{M_i\}$ on a set $S$ and an element $s \in S$, output the state

where $S_j$ is the (unknown) component containing $s$.

The decision problems can also be viewed as complexity classes. We define the class SCP to be the set of languages that are polynomial-time reducible to the SAME COMPONENT problem with bounded error. Similarly, we define MCP by reference to MULTIPLE COMPONENTS and MBCP by reference to MULTIPLE BALANCED COMPONENTS.



3 Basic properties of component mixers 



Lemma. (Component mixers are fully connected) If $s$ and $t$ are in the same component, then there exists $i$ such that $t = M_i(s)$.

Proof. Assume the contrary. Suppose $s$ and $t$ are in the same component $S_j$ and let $A = \{M_i(s) : i \in \mathrm{Ind}_M\}$. By assumption, $t \notin A$. This means that the variation distance between $M_i(s)$ (for $i \in_R \mathrm{Ind}_M$) and a uniform sample on $S_j$ is
>2~"~" > 2"
which contradicts the fact that M is a component mixer.

A uniform quantum superposition over all of the elements in one component is a potentially
useful state. It is not obvious whether a quantum computer can produce or verify such a state with 
a small number of queries to a component mixer, but it is possible to verify that a state is in the 
span of such superpositions. 

Lemma. (Quantum computers can project onto component superpositions) A quantum computer can, with a constant number of queries to a component mixer, measure the projector

$$P = \sum_k \frac{1}{|S_k|} \sum_{x, y \in S_k} |x\rangle\langle y|$$

with negligible error as a function of $n$.

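Proof. Starting with a state $|\psi\rangle$, we give an algorithm to measure $P$ on $|\psi\rangle$. The algorithm uses three registers: $|\psi\rangle$ starts in register $A$; registers $B$ and $C$ are ancillas. $B$'s computational basis is $\mathrm{Ind}_M$ and $C$ holds a single bit. To simplify the notation, we write the uniform superposition in register $B$ as $|e_0\rangle = |\mathrm{Ind}_M|^{-1/2} \sum_i |i\rangle$. The algorithm is:

1. Initialize register $B$ to $|e_0\rangle_B$ and register $C$ to $|0\rangle$. This gives the state

$$|\phi_1\rangle = |\psi\rangle_A |e_0\rangle_B |0\rangle_C.$$

2. Apply controlled-M with the control set to 1. This is equivalent to applying $M$ unconditionally. Let $M_j$ be the quantum operator corresponding to the action of $M_j$ on register $A$. That is, $\langle s'|M_j|s\rangle = \langle s'|M_j(s)\rangle$. With this notation, the action of this step on registers $A$ and $B$ is $U = \sum_j M_j \otimes |j\rangle\langle j|$. The resulting state is

$$|\phi_2\rangle = U|\psi\rangle_A|e_0\rangle_B|0\rangle_C = |e_0\rangle_B {}_B\langle e_0|\, U|\psi\rangle_A|e_0\rangle_B|0\rangle_C + \left(1 - |e_0\rangle_B {}_B\langle e_0|\right) U|\psi\rangle_A|e_0\rangle_B|0\rangle_C.$$

3. Apply the unitary operator $|e_0\rangle_B {}_B\langle e_0| \otimes X_C + \left(1 - |e_0\rangle_B {}_B\langle e_0|\right) \otimes I_C$. This sets register $C$ to $|1\rangle$ if register $B$ is still in the state $|e_0\rangle$. The state is now

$$|\phi_3\rangle = |e_0\rangle_B {}_B\langle e_0|\, U|\psi\rangle_A|e_0\rangle_B|1\rangle_C + \left(1 - |e_0\rangle_B {}_B\langle e_0|\right) U|\psi\rangle_A|e_0\rangle_B|0\rangle_C.$$

4. Uncompute step 2 by applying $U^\dagger$. This gives

$$|\phi_4\rangle = U^\dagger|e_0\rangle_B {}_B\langle e_0|\, U|\psi\rangle_A|e_0\rangle_B|1\rangle_C + U^\dagger\left(1 - |e_0\rangle_B {}_B\langle e_0|\right) U|\psi\rangle_A|e_0\rangle_B|0\rangle_C$$
$$= \left(U^\dagger|e_0\rangle_B {}_B\langle e_0|\, U\right)|\psi\rangle_A|e_0\rangle_B|1\rangle_C + \left(1 - U^\dagger|e_0\rangle_B {}_B\langle e_0|\, U\right)|\psi\rangle_A|e_0\rangle_B|0\rangle_C.$$

To simplify this result, observe that the matrix $|\mathrm{Ind}_M|^{-1} \sum_j M_j$ is the Markov matrix obtained by applying one of the $M_j$ uniformly at random to an element of $S$. From the definition of a component mixer, $|\mathrm{Ind}_M|^{-1} \sum_j M_j \approx P$. Furthermore, $P|\psi\rangle$ has the form $\alpha \sum_{x \in S_a} |x\rangle$ for some $\alpha$ and $a$, and $M_k^\dagger$ preserves the set $S_a$, so $M_k^\dagger P|\psi\rangle = P|\psi\rangle$ for all $k$. Using these observations, we can simplify

$$U^\dagger|e_0\rangle_B {}_B\langle e_0|\, U|\psi\rangle_A|e_0\rangle_B = \Big(\sum_k M_k^\dagger \otimes |k\rangle_B {}_B\langle k|\Big)\, |e_0\rangle_B {}_B\langle e_0|\, \Big(\sum_j M_j \otimes |j\rangle\langle j|\Big)\, |\psi\rangle_A|e_0\rangle_B$$
$$= \Big(\sum_k M_k^\dagger \otimes |k\rangle_B {}_B\langle k|\Big)\, |e_0\rangle_B\, |\mathrm{Ind}_M|^{-1} \Big(\sum_j M_j\Big) |\psi\rangle_A$$
$$\approx \Big(\sum_k M_k^\dagger \otimes |k\rangle_B {}_B\langle k|\Big)\, P|\psi\rangle_A|e_0\rangle_B$$
$$= \Big(\sum_k P \otimes |k\rangle_B {}_B\langle k|\Big)\, |\psi\rangle_A|e_0\rangle_B$$
$$= P|\psi\rangle_A|e_0\rangle_B.$$

Plugging this in, we have

$$|\phi_4\rangle \approx P|\psi\rangle_A|e_0\rangle_B|1\rangle_C + (1 - P)|\psi\rangle_A|e_0\rangle_B|0\rangle_C$$

with negligible error.

At this point, register $B$ is unentangled with the rest of the system, register $C$ contains the outcome of the measurement we wanted, and register $A$ contains the correct final state. □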

On a quantum computer, SAME COMPONENT reduces to COMPONENT SUPERPOSITION: given 
two initial elements, a swap test can decide with bounded error whether their respective component 
superpositions are the same state or non-overlapping states. 

4 Placing component mixer problems in the complexity zoo 

4.1 Inclusions 

Several of the complexity class relationships in Table 1 are straightforward. MULTIPLE COMPONENTS is a relaxation of MULTIPLE BALANCED COMPONENTS, so MBCP $\subseteq$ MCP. The "component mixers are fully connected" lemma implies a simple NP algorithm for SAME COMPONENT, so SCP $\subseteq$ NP. MULTIPLE COMPONENTS can be restated as "do there exist two objects that are not in the same component?", so MCP $\subseteq$ NP^{co-SCP} and hence MCP $\subseteq$ NP^{co-NP}.

In the appendix, we give two Arthur-Merlin protocols for MULTIPLE BALANCED COMPONENTS:

• A protocol to prove a "yes" answer. In this protocol, Merlin solves the SAME COMPONENT problem on input given by Arthur (appendix A.1).

• A protocol to prove a "no" answer (appendix A.2).

The existence of these protocols implies that MBCP $\subseteq$ AM, BPP^{SCP}, and co-AM. We also give a QMA protocol for MULTIPLE COMPONENTS (see appendix A.3).

SAME COMPONENT is reducible to STATISTICAL DIFFERENCE: to test whether $s$ and $t$ are in the same component, choose $i, j \in_R \mathrm{Ind}_M$ and test whether $M_i(s)$ and $M_j(t)$ have the same distribution. STATISTICAL DIFFERENCE is complete for SZK, so SCP $\subseteq$ SZK [7].

MULTIPLE BALANCED COMPONENTS also reduces to STATISTICAL DIFFERENCE: choose $a, b \in_R S$ and $i, j \in_R \mathrm{Ind}_M$. If there are multiple balanced components, then the predicate that the first two and last two elements of $(a, M_i(a), b, M_j(b))$ are in the same component holds w.p. 1, whereas the same predicate holds on four independent uniform samples from $S$ w.p. at most 1/4. This means that the variation distance between $(a, M_i(a), b, M_j(b))$ and four independent samples is at least 3/4. If, on the other hand, there is only one component, then $(a, M_i(a), b, M_j(b))$ is negligibly different from four independent samples from $S$. Therefore, MULTIPLE BALANCED COMPONENTS reduces to STATISTICAL DIFFERENCE on the distribution of $(a, M_i(a), b, M_j(b))$ versus four independent uniform samples from $S$. Hence MBCP $\subseteq$ SZK.
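
The reduction above, computed exactly on a toy instance as an added example (not code from the paper). The set $S = \mathbb{Z}_8$, the components (cosets of the subgroup generated by $d$) and the mixer $M_i(x) = x + d\,i \bmod 8$ are assumptions chosen so that mixing is exactly uniform.

```python
from fractions import Fraction
from itertools import product

N = 8                                   # assumed toy set S = Z_8 (n = 3 bits)


def coset_mixer(d):
    """Components are the cosets of the subgroup generated by d (d divides N).

    Ind_M = {0, ..., N/d - 1} and M_i(x) = x + d*i mod N, which is exactly
    uniform on the coset of x when i is uniform.
    """
    return range(N // d), lambda i, x: (x + d * i) % N


def mixer_tuple_distribution(d):
    """Exact distribution of (a, M_i(a), b, M_j(b)), a, b in_R S, i, j in_R Ind_M."""
    ind, M = coset_mixer(d)
    weight = Fraction(1, (N * len(ind)) ** 2)
    dist = {}
    for a, i, b, j in product(range(N), ind, range(N), ind):
        key = (a, M(i, a), b, M(j, b))
        dist[key] = dist.get(key, 0) + weight
    return dist


def statistical_difference(d):
    """Total variation distance from four independent uniform samples of S."""
    dist = mixer_tuple_distribution(d)
    uniform = Fraction(1, N ** 4)
    return sum(abs(dist.get(t, 0) - uniform)
               for t in product(range(N), repeat=4)) / 2


def predicate_probability_uniform(d):
    """Pr[x1, x2 share a coset and x3, x4 share a coset] for uniform x1..x4."""
    same = sum((x - y) % d == 0 for x, y in product(range(N), repeat=2))
    return Fraction(same, N * N) ** 2


if __name__ == "__main__":
    for d, shape in ((1, "one component"), (2, "two balanced"), (4, "four balanced")):
        print(f"d={d} ({shape}): predicate on uniform samples "
              f"{predicate_probability_uniform(d)}, "
              f"statistical difference {statistical_difference(d)}")
```

With two balanced components the distance is exactly 3/4, the boundary case of the bound in the text; with one component it is 0.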

4.2 Separations 

SCP contains group membership (relative to any oracle) and group membership is not in co-MA for black-box groups [3], so SCP $\not\subseteq$ co-MA relative to an oracle.

The quantum query complexity of MULTIPLE COMPONENTS is exponential by reduction from the Grover problem (see appendix B). This implies the existence of an oracle separating MCP and BQP.

4.3 Conjectured separations 

We conjecture that there is no QCMA or co-QCMA proof for MULTIPLE COMPONENTS or even MULTIPLE BALANCED COMPONENTS, which would imply the existence of an oracle separating MBCP from QMA and hence QCMA from QMA.

We further conjecture that MULTIPLE BALANCED COMPONENTS has superpolynomial randomized and quantum query complexity. This conjecture would imply that MBCP is separated from BPP and BQP by an oracle.

5 A hardness result for counterfeiting quantum money 

We are now ready to prove a hardness result for counterfeiting quantum money. Recall that the quantum money state is defined [2, 1] as

where $S_\ell$ is a component of a partition of a big set $S$ and an adversary is given access to a component mixer for that partition. Unlike the other component mixer problems we have discussed, an adversary also has access to a labeling function $L$ that maps each element of $S$ to a label that identifies which component that element is in.

We show that, if an attacker is given one copy of $|\$_\ell\rangle$ and measures it in the computational basis, then, under reasonable assumptions, the attacker cannot recreate the state. That is, given some $s \in S_\ell$ (i.e. the measurement outcome), it is hard to produce $|\$_\ell\rangle$. We call this type of attack SIMPLE COUNTERFEITING. Our assumption is that the quantum query complexity of SAME COMPONENT is superpolynomial.

Definition 8. The SIMPLE COUNTERFEITING problem is: given quantum query access to a component mixer $\{M_i\}$ on a set $S$, quantum query access to a function $L$ that maps each element of $S$ to a unique label identifying the component containing that element, and an element $s \in S$, output the state

where $S_j$ is the component containing $s$.

SIMPLE COUNTERFEITING is the same problem as COMPONENT SUPERPOSITION except that the algorithm also has access to the labeling function. This makes the problem seem easier; for example, SAME COMPONENT and MULTIPLE BALANCED COMPONENTS both become trivial with access to the labeling function. We show that the labeling function is unhelpful for the purpose of SIMPLE COUNTERFEITING.

Theorem. If the quantum query complexity of COMPONENT SUPERPOSITION is superpolynomial, then the quantum query complexity of SIMPLE COUNTERFEITING is also superpolynomial.

Proof. The SIMPLE COUNTERFEITING and COMPONENT SUPERPOSITION problems differ in that SIMPLE COUNTERFEITING is given access to a label that identifies components. Calculating such a label given only a component mixer is at least as hard as solving SIMPLE COUNTERFEITING in the first place, so we won't be able to provide a valid label. The idea behind the proof is to show that a correct labeling function is not very helpful for solving SIMPLE COUNTERFEITING, and that, given a component mixer, we can efficiently provide a label that is indistinguishable from a valid label in polynomial time.

We assume for contradiction that we have a quantum query algorithm "alg" that solves SIMPLE COUNTERFEITING in $n^r$ queries for sufficiently large $n$. Alg is given quantum query access to a component mixer and labeling function and it is promised that the labeling function is consistent with the component mixer. It takes as input an element $s \in S_j$ for some $j$. It makes $n^r$ quantum queries and produces a mixed state $\rho$ as output. The trace distance between $\rho$ and the desired output state $\frac{1}{\sqrt{|S_j|}} \sum_{u \in S_j} |u\rangle$ is a negligible function of $n$.

We give an algorithm that solves COMPONENT SUPERPOSITION with high probability using alg as a subroutine.

As input, we have quantum query access to a component mixer on $n$ bits and an $n$-bit string $s$. This means that the space of $n$-bit strings is partitioned into components $S_1, \ldots, S_c$ and a set of "garbage" strings $G = \{0, 1\}^n \setminus (S_1 \cup \cdots \cup S_c)$, where $c$ is the (unknown) number of components. We are not given access to a labeling function. WLOG, we assume that $s \in S_1$.

We define an instance of SIMPLE COUNTERFEITING on $2n$-bit strings that can be used to solve the original COMPONENT SUPERPOSITION problem. To simplify the notation, we treat each $2n$-bit string as a pair of binary numbers, each between $0$ and $2^n - 1$. In our instance of SIMPLE COUNTERFEITING, the components are $\{0\} \times S_1, \ldots, \{0\} \times S_c$ and $\{0\} \times G$. Each other element (that is, everything that has something nonzero as its first $n$ bits) is its own component. We use the component mixer

$$M_i^{(0)}((r, z)) = \begin{cases} (0, M_i(z)) & \text{if } r = 0 \\ (r, z) & \text{otherwise} \end{cases}$$

and incorrect label

$$L^{(0)}(r, z) = \begin{cases} (0, 0) & \text{if } r = 0 \\ (r, z) & \text{otherwise.} \end{cases}$$

The label $L^{(0)}$ violates the promise of SIMPLE COUNTERFEITING (it assigns the same label to all of the components in the original component mixer), so the SIMPLE COUNTERFEITING algorithm run directly on $\{M_i^{(0)}\}$ and $L^{(0)}$ might fail. However, the only way to detect that $L^{(0)}$ is invalid is to query it on some input of the form $(0, t)$ for $t \in S_2 \cup \cdots \cup S_c$. Those inputs are an exponentially small fraction of the domain of $L^{(0)}$ and we can hide them by randomly permuting $L^{(0)}$ and $M^{(0)}$, giving this algorithm:

1. Choose independent random permutations $\pi$ and $\sigma$ on $\mathbb{Z}_{2^n} \times \mathbb{Z}_{2^n}$. $\pi$ indicates where each $2n$-bit string is hidden in the permuted problem and $\sigma$ scrambles the labels. (These permutations will take an exponential number of bits to specify, but they can be implemented with no queries to $\{M_i\}$.)

2. Run alg on $\{\pi \circ M_i^{(0)} \circ \pi^{-1}\}$ and $\sigma \circ L^{(0)} \circ \pi^{-1}$ with the initial element $\pi(0, s)$.

3. Apply $\pi^{-1}$ coherently to the quantum state that alg produces.

4. Output the last $n$ qubits of the result.

If $\sigma \circ L^{(0)} \circ \pi^{-1}$ were a valid label function for the component mixer $\{\pi \circ M_i^{(0)} \circ \pi^{-1}\}$, then this algorithm would succeed on each try w.p. negligibly different from 1. We will prove that the invalidity of the labeling function is well enough hidden that the algorithm works anyway.

To prove this, we assume the contrary: there is some {Mi} for which this algorithm fails with 
nonnegligible probability. This means that the actual output of our algorithm differs nonnegligibly 
in trace distance from the desired output. Such a difference would be detectable if we knew what 
the correct output was; we will show that this is impossible by solving the Grover problem more 
quickly than is allowed by the BBBV theorem using alg as a subroutine. 

We generalize the functions $M^{(0)}$ and $L^{(0)}$ to a larger family that encodes a Grover search problem. We can picture $\{M_i^{(0)}\}$ as an embedding of the original problem in the first row of a grid in which the first $n$ bits is the row index and the last $n$ bits is the column index (see Figure 1; the unmarked squares are their own components). There are many other ways we could have embedded the original problem, though. (These other embeddings are well-defined, but they are difficult to calculate without access to a labeling function for the original problem.) In particular, we could have placed everything except $S_1$ on a different row. If we put the other components on the $j$th row, we get

$$L^{(j)}(r, z) = \begin{cases} (0, 0) & \text{if } r = 0 \text{ and } z \in S_1 \\ (0, 0) & \text{if } r = j \text{ and } z \notin S_1 \\ (r, z) & \text{otherwise} \end{cases}$$

and

$$M_i^{(j)}((r, z)) = \begin{cases} (0, M_i(z)) & \text{if } r = 0 \text{ and } z \in S_1 \\ (j, M_i(z)) & \text{if } r = j \text{ and } z \notin S_1 \\ (r, z) & \text{otherwise.} \end{cases}$$

Alternatively, we could leave them out entirely, giving

$$L^\text{nowhere}(r, z) = \begin{cases} (0, 0) & \text{if } r = 0 \text{ and } z \in S_1 \\ (r, z) & \text{otherwise} \end{cases}$$

and

$$M_i^\text{nowhere}((r, z)) = \begin{cases} (0, M_i(z)) & \text{if } r = 0 \text{ and } z \in S_1 \\ (r, z) & \text{otherwise.} \end{cases}$$

We can't efficiently implement queries to $L^\text{nowhere}$, $M^\text{nowhere}$, $L^{(j)}$ or $M^{(j)}$ for $j \neq 0$, but, if we could and if SIMPLE COUNTERFEITING didn't notice that the label function was invalid, then the output on any of these instances with starting element $(0, s)$ would be

$$\sum_{z \in S_1} |0\rangle|z\rangle,$$

the latter $n$ qubits of which is exactly the state we wanted.

The function $L^\text{nowhere}$ is a valid labeling function, but all of the $L^{(j)}$ are invalid because they take the same value on the images of $S_1, \ldots, S_c$ even though they are in different components. Nonetheless, they look valid as long as no one ever queries them on the images of $S_2, \ldots, S_c$, which collectively represent less than a $2^{-n}$ fraction of all possible queries.

We formalize this notion by a reduction from the Grover problem. Suppose $g : \mathbb{Z}_{2^n} \to \{0, 1\}$ is a function that outputs 1 on at most one input. By the BBBV theorem [5], the query complexity of distinguishing a random point function $g$ from all zeros is $\Omega(2^{n/2})$. Using our algorithm for SIMPLE COUNTERFEITING as a subroutine, we will attempt to decide whether $g$ maps any value to 1. We do this by allowing $g$ to select which embedding to use. This gives the "labeling" function

$$L^{[g]}(r, z) = \begin{cases} (0, 0) & \text{if } r = 0 \text{ and } z \in S_1 \\ (0, 0) & \text{if } g(r) = 1 \text{ and } z \notin S_1 \\ (r, z) & \text{otherwise} \end{cases}$$

and component mixer

$$M_i^{[g]}((r, z)) = \begin{cases} (0, M_i(z)) & \text{if } r = 0 \text{ and } z \in S_1 \\ (j, M_i(z)) & \text{if } g(r) = 1 \text{ and } z \notin S_1 \\ (r, z) & \text{otherwise.} \end{cases}$$

If $g(j) = 1$ for some $j$, then $L^{[g]} = L^{(j)}$ and $M_i^{[g]} = M_i^{(j)}$; otherwise $L^{[g]} = L^\text{nowhere}$ and $M_i^{[g]} = M_i^\text{nowhere}$. It is possible to evaluate either $L^{[g]}(r, z)$ or $M_i^{[g]}(r, z)$ with a very large number of queries to the original component mixer $\{M_i\}$ and one query to $g(r)$. (Evaluating the functions coherently requires a second query to $g(r)$ to uncompute garbage.)

If we choose independent random permutations $\pi$ and $\sigma$ on $\mathbb{Z}_{2^n} \times \mathbb{Z}_{2^n}$ and run alg on $\{\pi \circ M_i^{[g]} \circ \pi^{-1}\}$ and $\sigma \circ L^{[g]} \circ \pi^{-1}$ with initial state $\pi(0, s)$, the output of the algorithm is some mixed state that depends on $g$. Let $\rho_0$ be the density matrix of that mixed state if $g$ is all zeros and let $\rho_\text{point}$ be the density matrix if $g$ is a uniformly random point function.

Claim. $\|\rho_0 - \rho_\text{point}\|_\text{tr}$ is a negligible function of $n$.

Figure 1: There are $2^n + 1$ ways to hide components that are hard to label.

Proof. Assume the contrary: $\|\rho_0 - \rho_\text{point}\|_\text{tr} \geq n^{-k}$ for some fixed $k$ and an infinite sequence of values of $n$. If we run alg on $L^{[g]}$ and $M_i^{[g]}$, we can then decide whether the output is $\rho_0$ or $\rho_\text{point}$

and therefore whether g is all zeros or a point function by measuring the output. We will get the 
right answer w.p. at least ^ + ^^^. We can amplify n times to get the right answer w.p. at least 

2/3 by a Chernoff bound. By assumption, alg makes $n^r$ queries to $L^{[g]}$ and $M_i^{[g]}$. That means that, in $n^{r+2k} = o(2^{n/2})$ queries, we can determine whether $g(j) = 1$ for any $j$, which is impossible by the BBBV theorem. Therefore $\|\rho_0 - \rho_\text{point}\|_\text{tr}$ is a negligible function of $n$.

It follows that, if we apply $\pi^{-1}$ to $\rho_0$ and to $\rho_\text{point}$, the results differ negligibly in trace distance. The result of applying $\pi^{-1}$ to $\rho_0$ is the uniform superposition over $\{0\} \times S_1$ up to negligible error because if $g = 0$ then alg's promise is satisfied and it produces the correct answer. Furthermore, if we set $g(0) = 1$, then the output distribution is still $\rho_0$ because the distribution of component mixers and labels seen by alg is independent of which point function we choose. This means that $\pi^{-1}$ applied to the output of alg on $\{\pi \circ M_i^{(0)} \circ \pi^{-1}\}$ and $\sigma \circ L^{(0)} \circ \pi^{-1}$ with initial state $\pi(0, s)$ differs negligibly from the uniform superposition over $\{0\} \times S_1$ in trace distance.

This contradicts the assumption that there exists some input on which our algorithm fails, so our algorithm solves COMPONENT SUPERPOSITION with negligible error. □

We can replace the assumption that COMPONENT SUPERPOSITION is hard with the assumption that SAME COMPONENT is hard because SAME COMPONENT reduces to COMPONENT SUPERPOSITION.

6 Open problems 

There are a number of open problems related to this work. 

Ideally, we would prove the impossibility of more general forms of counterfeiting. If we could show that, given one copy of $|\$_\ell\rangle$ for some $\ell$, it is hard to produce a second copy of $|\$_\ell\rangle$, then we would know that (in a black-box model) quantum money could not be counterfeited. An even better result would be collision-freedom: that it is hard for anyone to produce a state of the form $|\$_\ell\rangle \otimes |\$_\ell\rangle$ by any means, even for a random $\ell$ of an attacker's choice. (Collision-freedom implies that copying is impossible: if an attacker could copy a given quantum money state, then the output of the algorithm would contain two copies of $|\$_\ell\rangle$ for the value of $\ell$ implied by the input.)

It should be possible to prove quantum lower bounds on the query complexity of SAME COMPONENT and MULTIPLE BALANCED COMPONENTS. This would strengthen the hardness result for counterfeiting quantum money.

A classical oracle separating MCP and QCMA would also separate QMA and QCMA. We conjecture that an appropriate worst-case component mixer would work, but we have no proof.

A cryptographically secure component mixer could be a useful object, and a good cryptographically secure component mixer with an associated labeling function would give a better quantum money protocol than quantum money from knots. (Knot invariants have all kinds of unnecessary properties.) If we had that as well as a hardness result for generating quantum money collisions, then quantum money would be on a sound theoretical footing.

A Query protocols for component problems

A.1 An AM query protocol for MULTIPLE BALANCED COMPONENTS

Suppose that Merlin wants to prove to Arthur that some component mixer has multiple balanced components. Arthur and Merlin run this protocol:

| Step | Arthur | Merlin |
|---|---|---|
| 1. | Choose $s_1, s_2 \in_R S$, $i \in_R \{1, 2\}$ and $j \in_R \mathrm{Ind}_M$. | |
| 2. | Compute $t = M_j(s_i)$. | |
| 3. | Send $s_1, s_2, t$ to Merlin. | |
| 4. | | If $s_1$ and $s_2$ are in different components, compute $i' = i$. Otherwise, choose $i' \in_R \{1, 2\}$. |
| 5. | | Send $i'$ to Arthur. |
| 6. | Accept iff $i = i'$. | |

If $\{M_j\}$ has multiple balanced components, then with probability at least 1/2, $s_1$ and $s_2$ are in different components. In this case, Merlin will always answer correctly. This means that Merlin is correct w.p. at least 3/4. If, on the other hand, $M$ has only one component, then $t$ is a nearly uniform sample from $S$ (trace distance at most $2^{-n-2} < 1/8$). This means that Merlin can guess $i$ correctly with probability at most 5/8. With constant overhead, this protocol can be amplified to give soundness and completeness errors 1/3.

Steps 1, 2, 3, 5, and 6 can be done in a constant number of queries to the component mixer oracle. Step 4 requires Merlin to solve the SAME COMPONENT problem to decide whether $t$ is in the same component as $s_1$, $s_2$, or both. This means that if Arthur had the power of SCP (with oracle access to $\{M_j\}$), then he could run the protocol on his own.
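
The protocol above, evaluated exactly on a toy mixer as an added example (not code from the paper). The set $S = \mathbb{Z}_8$ with cosets of the subgroup generated by $d$ as components, the mixer $M_j(x) = x + d\,j \bmod 8$, and the function names are assumptions of the example; `best_merlin_acceptance` bounds every possible Merlin by letting him guess the likelier $i$ for each message he sees.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

N = 8                                   # assumed toy set S = Z_8


def coset_mixer(d):
    """Ind_M and M for components = cosets of the subgroup generated by d (d | N)."""
    return range(N // d), lambda j, x: (x + d * j) % N


def same_component(d, x, y):
    """Oracle for SAME COMPONENT on the toy instance (Merlin's power in step 4)."""
    return (x - y) % d == 0


def arthur_runs(d):
    """Steps 1-3 for every choice of Arthur's coins: yields (s1, s2, i, t)."""
    ind, M = coset_mixer(d)
    for s1, s2, i, j in product(range(N), range(N), (1, 2), ind):
        yield s1, s2, i, M(j, (s1, s2)[i - 1])          # t = M_j(s_i)


def honest_merlin(d, s1, s2, t):
    """Step 4: returns the probability with which Merlin answers i' = 1 and i' = 2."""
    if same_component(d, s1, s2):
        return {1: Fraction(1, 2), 2: Fraction(1, 2)}   # no information: guess
    return {1: Fraction(int(same_component(d, s1, t))),
            2: Fraction(int(same_component(d, s2, t)))}


def acceptance(d, merlin):
    """Exact probability that Arthur accepts (step 6) against the given Merlin."""
    runs = list(arthur_runs(d))
    return sum(merlin(d, s1, s2, t)[i] for s1, s2, i, t in runs) / len(runs)


def best_merlin_acceptance(d):
    """Maximum acceptance over all Merlin strategies, honest or not."""
    runs = list(arthur_runs(d))
    counts = Counter((s1, s2, t, i) for s1, s2, i, t in runs)
    views = {(s1, s2, t) for s1, s2, t, _ in counts}
    best = sum(max(counts[v + (1,)], counts[v + (2,)]) for v in views)
    return Fraction(best, len(runs))


if __name__ == "__main__":
    for d in (1, 2, 4):
        print(f"{N // (N // d)} component(s): honest Merlin accepted w.p. "
              f"{acceptance(d, honest_merlin)}, best possible Merlin "
              f"{best_merlin_acceptance(d)}")
```

With two balanced components Arthur accepts with probability exactly 3/4, and with a single component no Merlin does better than 1/2, inside the 5/8 bound that allows for imperfect mixing.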

A.2 A co-AM query protocol for MULTIPLE BALANCED COMPONENTS

Suppose that Merlin wants to prove to Arthur that some component mixer has a single component (as opposed to multiple balanced components). Arthur and Merlin run this protocol:

| Step | Arthur | Merlin |
|---|---|---|
| 1. | Choose $s_1, s_2 \in_R S$. | |
| 2. | Send $s_1, s_2$ to Merlin. | |
| 3. | | Choose $i \in_R \mathrm{Ind}_M$ such that $M_i(s_1) = s_2$. |
| 4. | | Send $i$ to Arthur. |
| 5. | Accept iff $M_i(s_1) = s_2$. | |

If there is only one component, then $s_1$ and $s_2$ are in the same component and Merlin can find $i$ because component mixers are fully connected. If, on the other hand, there are multiple balanced components, then w.p. at least 1/2, $s_1$ and $s_2$ are in different components and no such $i$ exists.

This means that this proof is complete and has soundness error at most 1/2. A constant amount of amplification will reduce the soundness error below 1/3.

A.3 A quantum witness for MULTIPLE COMPONENTS

Given a "yes" instance of the MULTIPLE COMPONENTS problem, let $S_1$ and $S_2$ be two distinct components. Then a valid witness state is

$|\psi_\text{MC}\rangle =$

To verify the witness, Arthur first measures the projector of each register onto the space of uniform superpositions over components (see section 3). If either measurement outputs zero, Arthur rejects. Otherwise Arthur performs a swap test between the two registers and accepts iff the swap test says that the registers are different.

On a valid witness, Arthur's projections succeed with probability close to 1. The states in the 
two registers have disjoint support (both before and after the swap test), so the swap test indicates 
that the states are different w.p. 1/2. Arthur therefore accepts a valid witness w.p. 1/2. 

If there is only one component then projecting onto the space of uniform superpositions over 
components is equivalent to projecting onto the uniform superposition over S. Therefore, on any 
witness, if Arthur's projections succeed then the post-measurement state is (up to negligible error) 
two copies of the uniform superposition over S. Those two copies are approximately the same state, 
so the swap test says that they are the same and Arthur rejects w.p. near 1. Standard techniques 
can amplify this protocol to give completeness and soundness errors less than 1/3. 

B Multiple components has exponential quantum query complexity 

We can embed an instance of the Grover problem into MULTIPLE COMPONENTS. Let $g$ be the instance of the Grover problem on $n$ bits (i.e. $g : \mathbb{Z}_{2^n} \to \{0, 1\}$ is either all zeros or a point function). Let $\mathrm{Ind}_M = \mathbb{Z}_{2^n}$ and define the component mixer

$$M_i(x) = \begin{cases} (x + i) \bmod 2^n & \text{if } g(x) = g(x + i) = 0 \\ x & \text{otherwise.} \end{cases}$$

If $g$ is all zeros then there is a single component but if $g(y) = 1$ then $y$ is in its own component. The function $M_i$ can be evaluated with two queries to $g$, so the Grover decision problem on $g$ reduces to MULTIPLE COMPONENTS on $\{M_i\}$.

Hence, by the BBBV theorem [5], the quantum query complexity of MULTIPLE COMPONENTS is $\Omega(2^{n/2})$.